# GitLab Container Registry Administration Documentation on how to use Container Registry are under [TODO](TODO.md). ## Configuration Containers can be large in size and they are stored on the server GitLab is installed on. The Container Registry works under HTTPS by default. This means that the Container Registry requires a SSL certificate. There are two options on how this can be configured: 1. Use its own domain - needs a SSL certificate for that specific domain (eg. registry.example.com) or a wildcard certificate if hosted under a subdomain (eg. registry.gitlab.example.com) 1. Use existing GitLab domain and expose the registry on a port - can reuse existing GitLab SSL certificate Note that using HTTP is possible, [see insecure Registry document.](https://github.com/docker/distribution/blob/master/docs/insecure.md) Please take this into consideration before configuring Container Registry for the first time. ## Container Registry under its own domain Lets assume that you want the Container Registry to be accessible at `https://registry.gitlab.example.com`. ### Omnibus GitLab packages Place your SSL certificate and key in `/etc/gitlab/ssl/registry.gitlab.example.com.crt` and `/etc/gitlab/ssl/registry.gitlab.example.com.key` and make sure they have correct permissions: ```bash chmod 600 /etc/gitlab/ssl/registry.gitlab.example.com.* ``` Once the SSL certificate is in place, edit `/etc/gitlab/gitlab.rb` with: ```ruby registry_external_url 'https://registry.gitlab.example.com' ``` Save the file and [reconfigure GitLab][] for the changes to take effect. Users should now be able to login to the Container Registry using: ```bash docker login registry.gitlab.example.com ``` with their GitLab credentials. If you have a [wildcard certificate][], you need to specify the path to the certificate in addition to the URL, in this case `/etc/gitlab/gitlab.rb` will look like: ```ruby registry_external_url 'https://registry.gitlab.example.com' registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/certificate.pem" registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/certificate.key" ``` ## Container Registry under existing GitLab domain Lets assume that your GitLab instance is accessible at `https://gitlab.example.com`. You can expose the Container Registry under a separate port. Lets assume that you've exposed port `4567` in your network firewall. ### Omnibus GitLab packages Your `/etc/gitlab/gitlab.rb` should contain the Container Registry URL as well as the path to the existing SSL certificate and key used by GitLab. ```ruby registry_external_url 'https://gitlab.example.com:4567' ## If your SSL certificate is not in /etc/gitlab/ssl/gitlab.example.com.crt ## and key not in /etc/gitlab/ssl/gitlab.example.com.key uncomment the lines ## below # registry_nginx['ssl_certificate'] = "/path/to/certificate.pem" # registry_nginx['ssl_certificate_key'] = "/path/to/certificate.key" ``` Save the file and [reconfigure GitLab][] for the changes to take effect. Users should now be able to login to the Container Registry using: ```bash docker login gitlab.example.com:4567 ``` with their GitLab credentials. ## Container Registry storage path It is possible to change path where containers will be stored by the Container Registry. ### Omnibus GitLab packages By default, the path Container Registry is using to store the containers is in `/var/opt/gitlab/gitlab-rails/shared/registry`. This path is accessible to the user running the Container Registry daemon, user running GitLab and to the user running Nginx web server. In `/etc/gitlab/gitlab.rb`: ```ruby gitlab_rails['registry_path'] = "/path/to/registry/storage" ``` Save the file and [reconfigure GitLab][] for the changes to take effect. **NOTE** You should confirm that the GitLab, registry and the web server user have access to this directory. [reconfigure gitlab]: ../../administration/restart_gitlab.md "How to restart GitLab documentation" [wildcard certificate]: "https://en.wikipedia.org/wiki/Wildcard_certificate"